USB PCAP Forensics: Graphics Tablet (NSEC CTF 2021 Writeup, Part 2/3)

Exploring the PCAP

As with last time, let’s do a bit of exploration to see what kind of data we’re dealing with. Obviously, it’s another USB PCAP. We have more packets (~4400) that span over ~60 seconds. Finally, we see that there are bytes in the “HID Data” column:

Extracting and understanding the data

Let’s use the same technique as with part 1. Simple and effective.

Thanks, osdev.org
Cyberchef is ❤

Recovering what was written

For this part, I used the Pillow (PIL) Python imaging library to build the image from scratch: every three-byte report is decoded into a button byte plus signed X and Y deltas, and a black blob is drawn wherever the left button was held. The code is pretty self-explanatory:

from PIL import Image

# One (buttons, x_delta, y_delta) tuple per packet, taken from the "HID Data" column
mouse_events = [(0x80, 0x01, 0xfd), (0x80, 0x01, 0xfe), ... (0x80, 0xff, 0xfa)]

# Make the image big because we don't know how long the message is
img = Image.new('RGB', (10000, 10000), color='white')
canvas = img.load()

# Start the cursor in the middle of the canvas
mouse_x = 5000
mouse_y = 5000

for data in mouse_events:
    # Get the left mouse button status (bit 0 of the first byte)
    left_button_pressed = data[0] & 0b00000001

    # Get the mouse movement in x and y (each a signed 8-bit delta)
    x_offset = int.from_bytes(data[1:2], "big", signed=True)
    y_offset = int.from_bytes(data[2:3], "big", signed=True)

    mouse_x += x_offset
    mouse_y += y_offset

    if left_button_pressed:
        # These two for loops are to make the pixels thicker
        for i in range(5):
            for j in range(5):
                # Write a black pixel on the canvas
                canvas[round(mouse_x) + i, round(mouse_y) + j] = (0, 0, 0)

# Save the image to disk
img.save("final.png")
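The script above needs Pillow and a fixed 10000x10000 canvas. As an added example (not code from the writeup), here is a dependency-free version of the same reconstruction that parses a text dump of the HID Data column, decodes each three-byte boot-protocol mouse report (button byte, signed X delta, signed Y delta, the layout the osdev.org page describes), and renders only the bounding box of the inked points as a plain-text PBM file. The dump format (colon-separated hex, one report per line) and the sample reports are constructed for illustration; the hypothetical pen width parameter plays the role of the 5x5 loops in the original.

```python
"""Reconstruct a drawing from USB HID boot-protocol mouse reports.

Added example, not the writeup's own code. Assumes the 3-byte report layout:
byte 0 = button bits (bit 0 = left), byte 1 = signed X delta, byte 2 = signed Y delta.
A real tablet may use a different (often absolute) layout, so confirm it against
the device's HID report descriptor in the capture before trusting the picture.
"""
from typing import List, Tuple

Report = Tuple[int, int, int]  # (buttons, dx, dy)

# Constructed sample dump of the HID Data column, one report per line.
# It draws a small "L": move right with the left button held, then down,
# release, then move left without drawing.
SAMPLE_HID_DUMP = """\
00:00:00
01:02:00
01:02:00
01:02:00
01:00:02
01:00:02
00:00:00
00:fd:00
"""


def parse_reports(dump: str) -> List[Report]:
    """Decode colon-separated hex lines into (buttons, dx, dy) tuples."""
    reports: List[Report] = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        raw = bytes.fromhex(line.replace(":", ""))
        if len(raw) < 3:
            raise ValueError(f"report too short: {line!r}")
        buttons = raw[0]
        dx = int.from_bytes(raw[1:2], "big", signed=True)  # signed 8-bit delta
        dy = int.from_bytes(raw[2:3], "big", signed=True)
        reports.append((buttons, dx, dy))
    return reports


def trace_path(reports: List[Report], start: Tuple[int, int] = (0, 0)) -> List[Tuple[int, int]]:
    """Integrate the deltas and return every position reached while the left button was held."""
    x, y = start
    inked: List[Tuple[int, int]] = []
    for buttons, dx, dy in reports:
        x += dx
        y += dy  # positive dy is "down", which matches image coordinates
        if buttons & 0x01:
            inked.append((x, y))
    return inked


def render_pbm(points: List[Tuple[int, int]], pen: int = 1) -> str:
    """Render the inked points as a P1 (ASCII) PBM, sized to their bounding box.

    `pen` is a hypothetical thickness parameter: each point becomes a pen x pen block,
    like the nested 5x5 loops in the original script.
    """
    if not points:
        return "P1\n1 1\n0\n"
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    min_x, min_y = min(xs), min(ys)
    width = max(xs) - min_x + pen
    height = max(ys) - min_y + pen
    grid = [[0] * width for _ in range(height)]
    for x, y in points:
        for i in range(pen):
            for j in range(pen):
                grid[y - min_y + j][x - min_x + i] = 1
    lines = ["P1", f"{width} {height}"]
    lines += [" ".join(str(v) for v in row) for row in grid]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pts = trace_path(parse_reports(SAMPLE_HID_DUMP))
    with open("drawing.pbm", "w") as fh:
        fh.write(render_pbm(pts, pen=1))
    print(f"wrote {len(pts)} inked points to drawing.pbm")
```

Sizing the canvas from the bounding box instead of guessing 10000x10000 also removes the out-of-range write you would get in the original if the cursor ever drifted past the edge of the canvas.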

Émilio Gonzalez

Blue team analyst in Quebec, Canada. Passionate about cybersecurity and urbanism. Twitter: @res260 https://twitter.com/res260